PF, quick reference guide

Revision as of 10:01, 5 December 2015

A PF configuration (pf.conf) is divided into the following sections:

  • Macros - Variables are defined in this section. This simplifies changing hardware, or makes it easier to refer to a long list of arguments by a single name. IPs are not set here, but in the next section.
  • Tables - Variables for IPs are defined here. A table can also be filled by the overload argument of a rule in the filter rules section.
  • Options - Option lines start with "set".
  • Scrub - Scrub (normalize) packets.
  • Queueing -
  • Translation - NAT translation settings.
  • Filter rules - This is where the rules are set up. PF evaluates rules in order, and the last matching line takes effect over the lines before it.


Macros

Macros are defined with an equals sign (=); the value to be used in the rules is enclosed in double quotes.

wireless_card_to_internet="ath0"
tcp="{ http ntp 443 }"

To reference a macro later, prefix its name with $, for instance $tcp. This keeps lists in one place instead of retyping the same values in every rule, and lets a single change (a new interface name, an extra port) take effect everywhere the macro is referenced.

Tables

Tables of IP addresses are kept here, not in the macros section. They are useful for your network gateways and for addresses generated by PF filter rules, for instance when tracking brute-force attempts. Table definitions start with table and use < > around the table name.

table <ips>
table <ipvariable>
table <ipfile> file "/dir/file"

A file can also supply the contents of a table, as shown in the example with the file argument. The overload < > option in a rule from the "filter rules" section can also add addresses to a table defined here, for instance to record the sources of brute-force attempts.

Filter rules

Syntax

[action] [direction] log quick on $interface [af] proto $protocol from $ip port $port to $ip port $port flags $tcpflags [state] ([state options])

  • action - block, pass
  • direction - in, out
  • log - log, log (all)
  • interface - network interface
  • af - address family: inet, inet6
  • proto - tcp, udp, sctp, icmp6; see /etc/protocols
  • port - see /etc/services. Can be a port number or a service name.

Some arguments are optional, depending on circumstances.
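The following pf.conf ties the Macros, Tables and Filter rules sections together in one working configuration. It is an added example written for this page, not a configuration from the wiki or from the PF project. The interface name ath0 and the port list come from the page; the 192.0.2.x addresses (TEST-NET-1), the file path /etc/pf.blocklist, the table names and the 5 connections / 30 seconds threshold are assumptions chosen for illustration. It shows a table being filled at run time by overload, and how last-match-wins and quick interact.

```pf
# Added example for this page (assumed values, not the wiki's own config).

# --- Macros: names for interfaces, ports and protocols ---
ext_if = "ath0"                    # external interface, as on the page
tcp_services = "{ http ntp 443 }"  # port list reused by several rules
ssh_port = "22"

# --- Tables: IP sets, including one that filter rules populate ---
table <admins> { 192.0.2.10, 192.0.2.11 }          # constructed TEST-NET-1 addresses
table <bruteforce> persist                         # filled by "overload" below
table <blocklist> persist file "/etc/pf.blocklist" # assumed path, one address per line

# --- Options ---
set skip on lo0
set block-policy drop

# --- Scrub ---
scrub in all

# --- Filter rules: last matching rule wins unless "quick" is used ---
block all                                          # default deny for everything

# Drop attackers and the static blocklist immediately; "quick" stops
# evaluation, so no later "pass" rule can override these.
block drop in quick on $ext_if from <bruteforce> to any
block drop in quick on $ext_if from <blocklist> to any

# Public services: "quick" makes this the final decision for these ports.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state

# SSH: allow, but a source that opens more than 5 connections in 30 seconds
# is added to <bruteforce> and all of its existing states are flushed.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# No "quick" on the rule above, so this later rule takes precedence for
# admin addresses: they are never rate-limited or added to <bruteforce>.
pass in on $ext_if inet proto tcp from <admins> to ($ext_if) port $ssh_port \
    flags S/SA keep state

pass out on $ext_if all keep state
```

Check the file before loading it with pfctl -nf /etc/pf.conf (parse only, no changes), and inspect what overload has collected with pfctl -t bruteforce -T show. The ordering matters: the quick block on <bruteforce> sits before the SSH pass rule, so an address that trips the rate limit is refused on its next connection even though a matching pass rule exists further down.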
